A Russian government-sponsored cyberespionage group has been accused of using a leaked NSA hacking tool in attacks against one Middle Eastern and at least seven European hotels in order to spy on guests.

Why reinvent the wheel, or a hacking tool, when the NSA created such an effective one? The NSA’s EternalBlue was leaked online by the Shadow Brokers in April. Now the security firm FireEye says it has “moderate confidence” that Fancy Bear, or APT28, the hacking group linked to the Russian government and accused of hacking the Democratic National Committee last year, added EternalBlue to its arsenal in order to spy on and steal credentials from guests at European and Middle Eastern hotels.

In a campaign aimed at the hospitality industry, attackers leveraged a malicious document in spear-phishing emails. The “hostile hotel form,” which Microsoft Threat Intelligence Center General Manager John Lambert tweeted about in July, appeared to be a hotel reservation document. If macros were allowed to run on the computers used by the hotel employees who opened it, then Fancy Bear’s Gamefish malware would be installed.

Fancy Bear, according to a report by the security firm FireEye, used “novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers. Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks.”

The Gamefish malware would download and run EternalBlue to spread to computers that were connected to corporate and guest Wi-Fi networks. After gaining access, Fancy Bear deployed Responder, which listens for “broadcasts from victim computers attempting to connect to network resources.” Responder, FireEye explained, “masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine.”
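The defensive counterpart to the Responder behaviour described above, as an added example that is not from FireEye's report or this article: Responder is known to answer LLMNR and NBT-NS name queries (the article says only “broadcasts”), so a host that answers for many different names, or for a name no machine owns, stands out. The record format, canary name, threshold and addresses below are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample (not from the report): one line per name-resolution
# response seen by a network sensor, as "proto responder_ip queried_name".
SAMPLE = """\
LLMNR 10.0.5.21 FRONTDESK-PC
NBT-NS 10.0.5.21 FRONTDESK-PC
LLMNR 10.0.5.77 FILESRV01
LLMNR 10.0.5.77 WPAD
NBT-NS 10.0.5.77 PRINTSRV
LLMNR 10.0.5.77 zz-canary-7f3a
LLMNR 10.0.5.30 BACKOFFICE-2
"""

CANARY_NAMES = {"zz-canary-7f3a"}  # hypothetical name that no real host owns
MAX_NAMES_PER_HOST = 2             # assumed threshold; tune per network


def parse(text):
    """Yield (proto, responder_ip, name) from well-formed lines only."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].upper() not in {"LLMNR", "NBT-NS"}:
            continue  # skip blank, malformed or unrelated records
        yield parts[0].upper(), parts[1], parts[2].lower()


def find_poisoners(text, canaries=CANARY_NAMES, max_names=MAX_NAMES_PER_HOST):
    """Return {responder_ip: [reasons]} for hosts answering like a poisoner."""
    canaries = {c.lower() for c in canaries}
    names_by_ip = defaultdict(set)
    for _proto, ip, name in parse(text):
        names_by_ip[ip].add(name)

    findings = {}
    for ip, names in names_by_ip.items():
        reasons = []
        hits = sorted(names & canaries)
        if hits:  # a legitimate host never answers for a made-up name
            reasons.append("answered canary name(s): " + ", ".join(hits))
        if len(names) > max_names:  # real hosts answer only for themselves
            reasons.append(f"answered for {len(names)} distinct names")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in find_poisoners(SAMPLE).items():
        print(ip, "->", "; ".join(reasons))
```
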

“It’s definitely a new technique” for Fancy Bear, FireEye’s cyber espionage researcher Ben Read told Wired. “It’s a much more passive way to collect on people. You can just sit there and intercept stuff from the Wi-Fi traffic.”

While FireEye didn’t observe business travelers’ credentials being stolen via hotel Wi-Fi networks in July, the security firm cited a similar hotel attack by Fancy Bear in 2016.

Of the latest hotel attacks, FireEye added, this “is the first time we have seen APT28 incorporate this exploit [EternalBlue] into their intrusions.” While the investigation is still going on, FireEye told Reuters it is “moderately confident” that Fancy Bear is behind the attacks. “We just don't have the smoking gun yet.”

The targeted hotels were not named, but were described as the type where valuable guests would stay. FireEye told Wired, “These were not super expensive places, but also not the Holiday Inn. They’re the type of hotel a distinguished visitor would stay in when they’re on corporate travel or diplomatic business.”

FireEye wants travelers, such as business and government personnel, to be aware of threats such as having their information and credentials passively collected when connecting to a hotel’s Wi-Fi. While traveling abroad, high-value targets should “take extra precautions to secure their systems and data. Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible.” Wired suggested the safest approach for travelers is to bring their own hotspot and skip connecting to the hotel’s Wi-Fi altogether.